OCSP_resp_find_status (3)

Leading comments

Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)

Standard preamble:
========================================================================

(The comments found at the beginning of the groff file "man3/OCSP_resp_find_status.3ssl".)

NAME

OCSP_resp_get0_certs, OCSP_resp_get0_id, OCSP_resp_get0_produced_at, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity - OCSP response utility functions

SYNOPSIS

 #include <openssl/ocsp.h>

 int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                           int *reason,
                           ASN1_GENERALIZEDTIME **revtime,
                           ASN1_GENERALIZEDTIME **thisupd,
                           ASN1_GENERALIZEDTIME **nextupd);

 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
 int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
 int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                             ASN1_GENERALIZEDTIME **revtime,
                             ASN1_GENERALIZEDTIME **thisupd,
                             ASN1_GENERALIZEDTIME **nextupd);

 const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
                             const OCSP_BASICRESP* single);

 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);

 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                       const ASN1_OCTET_STRING **pid,
                       const X509_NAME **pname);

 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                         ASN1_GENERALIZEDTIME *nextupd,
                         long sec, long maxsec);

DESCRIPTION

OCSP_resp_find_status() searches bs for an response for id. If it is successful the fields of the response are returned in *status, *reason, *revtime, *thisupd and *nextupd. The *status value will be one of V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED or V_OCSP_CERTSTATUS_UNKNOWN. The *reason and *revtime fields are only set if the status is V_OCSP_CERTSTATUS_REVOKED. If set the *reason field will be set to the revocation reason which will be one of , , , , , , , or .

OCSP_resp_count() returns the number of

structures in bs.

OCSP_resp_get0() returns the

structure in bs corresponding to index idx. Where idx runs from 0 to OCSP_resp_count(bs) - 1.

OCSP_resp_find() searches bs for id and returns the index of the first matching entry after last or starting from the beginning if last is -1.

OCSP_single_get0_status() extracts the fields of single in *reason, *revtime, *thisupd and *nextupd.

OCSP_resp_get0_produced_at() extracts the producedAt field from the single response bs.

OCSP_resp_get0_certs() returns any certificates included in bs.

OCSP_resp_get0_id() gets the responder id of <bs>. If the responder

is a name then <*pname> is set to the name and *pid is set to If the responder is by key then *pid is set to the key and *pname is set to

OCSP_check_validity() checks the validity of thisupd and nextupd values which will be typically obtained from OCSP_resp_find_status() or OCSP_single_get0_status(). If sec is non-zero it indicates how many seconds leeway should be allowed in the check. If maxsec is positive it indicates the maximum age of thisupd in seconds.

RETURN VALUES

OCSP_resp_find_status() returns 1 if id is found in bs and 0 otherwise.

OCSP_resp_count() returns the total number of

fields in bs.

OCSP_resp_get0() returns a pointer to an

structure or if idx is out of range.

OCSP_resp_find() returns the index of id in bs (which may be 0) or -1 if id was not found.

OCSP_single_get0_status() returns the status of single or -1 if an error occurred.

NOTES

Applications will typically call OCSP_resp_find_status() using the certificate of interest and then check its validity using OCSP_check_validity(). They can then take appropriate action based on the status of the certificate.

An

response for a certificate contains thisUpdate and nextUpdate fields. Normally the current time should be between these two values. To account for clock skew the maxsec field can be set to non-zero in OCSP_check_validity(). Some responders do not set the nextUpdate field, this would otherwise mean an ancient response would be considered valid: the maxsec parameter to OCSP_check_validity() can be used to limit the permitted age of responses.

The values written to *revtime, *thisupd and *nextupd by OCSP_resp_find_status() and OCSP_single_get0_status() are internal pointers which

be freed up by the calling application. Any or all of these parameters can be set to if their value is not required.

SEE ALSO

crypto(3), OCSP_cert_to_id(3), OCSP_request_add1_nonce(3), OCSP_REQUEST_new(3), OCSP_response_status(3), OCSP_sendreq_new(3)

COPYRIGHT

Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the ``License''). You may not use this file except in compliance with the License. You can obtain a copy in the file

in the source distribution or at <www.openssl.org/source/license.html>.